Krebs on Security

In-depth security news and investigation

New Java Exploit to Debut in BlackHole Exploit Kits

Malicious computer code that leverages a newly patched security flaw in Oracle’s Java software is set to be deployed later this week to cybercriminal operations powered by the BlackHole exploit pack. The addition of a new weapon to this malware arsenal will almost certainly lead to a spike in compromised PCs, as more than 3 billion devices run Java and many of these installations are months out of date.

I first learned about the new exploit from a KrebsOnSecurity reader named Dean, who works in incident response for a financial firm. Dean was trying to trace the source of an infected computer on his network; he discovered the culprit appeared to be a malicious “.jar” file. A scan of the jar file at Virustotal.com showed that it was detected by just one antivirus product (Avira), which flagged it as “Java/Dldr.Lamar.BD”. The description of that threat says it targets a Java vulnerability tagged as CVE-2012-1723, a critical bug fixed in Java 6 Update 33 and Java 7 Update 5.

The attack may be related to an exploit published for CVE-2012-1723 in mid-June by Michael ‘mihi’ Schierl. But according to the current vendor of the BlackHole exploit pack, the exact exploit for this vulnerability has only been shared and used privately to date. Reached via instant message, the BlackHole author said the new Java attack will be rolled into a software update to be made available on July 8 to all paying and licensed users of BlackHole.

Regardless of which operating system you use, if you have Java installed, I would advise you to update it, neuter it or remove it as soon as possible. The reason I say this is that Java requires constant patching, and it appears to be the favorite target of attackers these days.

Windows users can find out if they have Java installed and which version by visiting java.com and clicking the “Do I have Java?” link. Mac users can use the Software Update feature to check for any available Java updates.

If you primarily use Java because some Web site, or program you have on your system — such as OpenOffice or Freemind — requires it, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox (from the Add-ons menu, click Plugins and then disable anything Java related, and restart the browser), and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.

Apple stopped bundling Java by default in OS X 10.7 (Lion); instead, it offers instructions for downloading and installing the software framework when users access Web pages that use it. The latest iteration of Java for OS X configures the Java browser plugin and Java Web Start to be deactivated if they remain unused for 35 days.

Yes, you can disable Java in IE. On a per-zone basis, in fact. If you have a few sites that need Java, forcing you to have it installed, then add those sites to the Trusted Sites zone, leave Java enabled there, and disable it in the Internet zone.

This setting is in Internet Options on the Security tab. Select the Zone you want to change, then click Custom Level and scroll down to nearly the bottom, where you can set scripting of Java applets to the desired setting.

I was under the impression that just about every site I visit regularly is employing some kind of JavaScript, so I’ve always left it enabled, despite the security risk.
It can be a real pain when something doesn’t seem to work correctly, and you have no clear idea why without spending a lot of time tracking it down.

Hmmm…on re-reading what you wrote, and restricting it to Version 10.7 (Lion) as you did, and restricting to Apple not bundling Java in OS 10.7.x, it may be that you are completely right and not misleading.

Without uninstalling Java on my 10.7.4 mac, I can’t be completely certain.

But if I turn off all my Java versions, then go to the Java test page, there is no recommendation from Apple on what to do “for downloading and installing the software framework”. There is just a note on the Java page for Mac users to use Software Update to “check that you have the most up-to-date version…”

Also, if I open a page in LibreOffice and try something from the menus that needs Java, it gives a LibreOffice error, but nothing from Apple on what to do.

And, like I said above, Java’s update page doesn’t have a Mac iteration to download, and also refers me to the Mac Software Update. Software Update doesn’t suggest that I download Java, but I have only turned it off, not uninstalled.

My point is that – at best – I don’t think that Apple and Oracle have this all worked out yet for Lion users and that there are still a lot of 10.6 and 10.5 users who are still reliant on Apple for their Java updates.

In addition to turning off Java in the browser, I also have Flash set to require me to click it to run it. A lot of flash exploits run in hidden iframes. This is only a little annoying as I have to click the youtube frame to make it run, but honestly, not having flash-based ads blaring audio when you hit a page is a huge plus as well.

So if we have the latest version of Java (1.6.0_33) on our Windows operating system, using a Firefox browser, are we safe, or do we need to take additional steps like removing the older versions of Java from the system altogether? I don’t get it.

Regarding the ComputerWorld article, this is a very good link. Two notes, though: 1) the author was unable to disable Java in Internet Explorer 9, and 2) the author was able to disable Java in Internet Explorer 8 only *AS THE ADMINISTRATOR*.

Nobody runs as the default user in Windows anymore, right? As a technical solution to malware, least privilege beats everything else (just note that it doesn’t always work). Create a restricted user account and use it for day-to-day computing in Windows. Use the default account only to administer the PC (e.g., configuration, install/uninstall software).

I’d have to disagree with least privilege beating everything else. It certainly helps the cleanup, as the malware is contained within the user’s profile, so a new profile effectively cleans the infection.

I work in an environment where at least 90% of the workstations are running with only user privileges but they still get infected.

The more savvy malware authors long ago made their code “portable” so it doesn’t require administrator privileges to install. If you write to the user’s profile and Current User registry keys and hook into user-owned processes, then it still works, and they get maximum coverage.

As far as drive-bys go, least privilege and patching are equally important, and if you have the luxury, Firefox with Adblock Plus and NoScript means that drive-by infections are a thing of the past.

Unfortunately none of this is easy for the average user and for some it’s a hassle and nowhere near as important as updating their Facebook status.

I’d have to agree with Dean. Most of the threats out there today work just fine on a limited account. Granted, the damage may be limited somewhat by infecting an admin account vs. a user account, but if the malware is able to hijack browser sessions, steal passwords and the like, it really doesn’t matter.

It certainly is a good idea to adopt least user privileges on all operating systems. But in the Windows space, in the face of modern malware, the benefits of running under a limited account are hardly the same as in years prior.

Brian Krebs wrote:
“Granted, the damage may be limited somewhat by infecting an admin account vs. a user account, but if the malware is able to hijack browser sessions, steal passwords and the like, it really doesn’t matter.”

Here’s why I believe it does matter. One recommendation I have made at this site previously and elsewhere is that one should not conduct sensitive online activities (e.g., online banking, securities trading, portfolio management) in their day-to-day restricted user account. Instead, create another restricted user account dedicated to these sensitive online activities. If the day-to-day user account gets owned, it is compartmentalized from the user account used for sensitive activities and one’s passwords, accounts and financial assets are likely to be safe.

Of course, all bets are off if the user installs software (e.g., codecs) containing an MBR exploit, as an example, from an inappropriate site. However, more cautious users adhering to your three rules are more likely to avoid this situation.

P.S. I am not referring to commercial enterprises where your advice is to use either a dedicated PC or a Linux LiveCD for online banking. I am referring, primarily, to consumers that choose to use their Windows, OS X or desktop Linux PC for these activities.

Agree that least privilege is not always effective. Thus, my disclaimer in parentheses, “just note that it doesn’t always work”. A high-profile example of malware that operates in a restricted user account is the Zeus banking trojan. However, MBR-infecting malware, Mebroot as an example, will have a difficult time getting to the MBR from a restricted account, especially if the user doesn’t have the Admin credentials to type in when prompted.

As far as enterprise users go, I would be tempted to add various Internet Explorer group policy restrictions along with Software Restriction Policy whitelisting (via gpedit.msc, for both executables and dll’s) or AppLocker for Windows 7.

I agree that it’s hard for home users, as most are also the local Admins. What to do? In addition to restricted accounts, I usually recommend using Windows Vista/7 built-in Parental Controls to implement application control for each standard user account on the system. What I refer to as Software Restriction Policy “lite”, as DLL protection is not provided.

Windows XP Home? I recommend using the Chrome web browser in lieu of Internet Explorer as it is the only browser that is sandboxed on Windows XP. And Windows XP Pro? Again, I recommend using gpedit.msc to implement Software Restriction Policy whitelisting *along with* using the Chrome browser.

Anyhow, these items, other than installing and using the Chrome browser, are not easy for the average user. Their advantage is that they, along with the ability to create restricted accounts, are provided by the Windows operating system. Thus, no 3rd party security software to learn and manage.

One problem with Java is that when it gets updated it sometimes breaks functionality with some management consoles (like Symantec Endpoint Protection). So I can’t just update it, lest I not be able to easily control my anti-virus clients. The solution would be for companies (like Symantec) to NOT use Java for their software!

But because scripts will not run unless they’ve been allowed to run with NoScript, you should never find yourself at the receiving end of a bunch of exploits & Malware, even on an unpatched machine (This is no reason not to patch though!)

Even if the initial compromised site has been white-listed, you will run the malicious script but when you land at the next step scripts will not run again unless they are also white-listed which is extremely unlikely.

The Java VM is sandboxed but the numerous exploits allow the code to break out of it and execute malicious code within the operating system.

The downside? NoScript is a little complex for the average user, as things like YouTube require not only YouTube.com but also the content server for videos to play.

Oh, and Firefox is seen as out of fashion now since Chrome, but I still recommend it due to its far superior plugin framework.

As far as I know, none of the web browsers sandbox the java plug-in on any operating system. As for limiting the java plug-in privileges, one can use built-in Windows integrity levels on Windows Vista/7. However, as implemented for Internet Explorer by Microsoft, the java plug-in does not run at low integrity level. Instead, it runs at medium integrity level.

I have created a DIY sandbox on Windows Vista/7 for Firefox (and Opera) using Windows integrity levels that does run the Java plug-in at low integrity level. To create a DIY sandbox for Firefox on Windows Vista/7, copy the following commands and paste them into Notepad:

Change USERNAME to your user name. Also, note that all files must be downloaded to folder C:\Users\USERNAME\Downloads (you can make this anything you want, but it must be a low integrity level folder). Save and name the file something like ‘SandboxFirefox.bat’ (the .bat extension is important). Then run the BAT file in either the Vista or 7 command prompt (cmd.exe) as the Administrator by typing in ‘SandboxFirefox.bat’ and pressing the ‘Enter’ key.

Firefox now runs as a low integrity level process. In addition, the Java plug-in runs as a Firefox child process that is also low integrity level. Verify it by downloading and running Sysinternals’ Process Explorer and adding ‘integrity levels’ to the displayed columns. One drawback is that one can no longer apply updates to Firefox, as the updater won’t work at low integrity level (there is no privilege broker). Instead, one must download updated Firefox versions from mozilla.com, install updated Firefox on top of the existing version and rerun the BAT file.

Another alternative (perhaps better than the DIY approach above) is to download and install a 3rd party sandbox application for Windows. Examples include Trustware BufferZone Pro (free) and SandboxIE (both free and paid versions):
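The commenter’s own batch file is not reproduced on this page. The script below is an added example of the same “DIY sandbox” technique (Windows mandatory integrity labels set with icacls), written for this page and not the commenter’s code. It assumes a 32-bit Firefox installed under C:\Program Files (x86)\Mozilla Firefox (on 32-bit Windows the path is C:\Program Files\Mozilla Firefox) and a Windows account named alice; the profile and cache folders are Firefox’s standard locations under AppData\Roaming\Mozilla and AppData\Local\Mozilla. Run it from a cmd.exe opened with “Run as administrator” on Vista/7.

```batch
@echo off
REM Added example of the DIY low-integrity sandbox for Firefox on Vista/7.
REM Not the commenter's script. Assumptions (edit for your system):
REM   FFDIR      - folder containing firefox.exe
REM   TARGETUSER - the Windows account whose Firefox is being sandboxed
REM Must run from an elevated (administrator) command prompt.

setlocal
set "FFDIR=C:\Program Files (x86)\Mozilla Firefox"
set "TARGETUSER=alice"
set "PROFILE=C:\Users\%TARGETUSER%"

REM 1. Label the executable Low. A process created from a Low-labelled image
REM    starts with a Low integrity token, and every child it spawns (including
REM    plugin-container.exe, which hosts the Java plug-in) can be no higher.
icacls "%FFDIR%\firefox.exe" /setintegritylevel L || goto :fail

REM 2. Any folder the Low process must WRITE to needs a Low label as well.
REM    (OI) = object inherit, (CI) = container inherit: the label propagates
REM    to files and subfolders. Everything else stays implicitly Medium, and
REM    the "no write-up" policy blocks writes there.
REM    Downloads, so that saved files land where a Low process may write:
icacls "%PROFILE%\Downloads" /setintegritylevel (OI)(CI)L || goto :fail
REM    The Firefox profile (prefs, cookies, history) and the disk cache;
REM    without these Firefox cannot write its profile and will complain:
icacls "%PROFILE%\AppData\Roaming\Mozilla" /setintegritylevel (OI)(CI)L || goto :fail
icacls "%PROFILE%\AppData\Local\Mozilla"   /setintegritylevel (OI)(CI)L || goto :fail

REM 3. Check. icacls lists the label it finds on each object, e.g.
REM      Mandatory Label\Low Mandatory Level:(NW)
REM    where (NW) is the no-write-up policy.
echo.
echo Labels now in effect:
icacls "%FFDIR%\firefox.exe"
icacls "%PROFILE%\Downloads"
icacls "%PROFILE%\AppData\Roaming\Mozilla"

echo.
echo Done. Start Firefox as %TARGETUSER% and confirm that the "Integrity Level"
echo column in Process Explorer shows Low for firefox.exe and plugin-container.exe.
echo To undo, rerun the icacls commands above with M (Medium) in place of L.
exit /b 0

:fail
echo icacls failed. Run this script from an elevated command prompt and check the paths.
exit /b 1
```

Two caveats a practitioner should weigh before using this. First, labelling the profile Low is what makes the browser work, but it also means code that gets execution inside the sandboxed Firefox (a Java exploit, say) can rewrite prefs, extensions and the cache and so persist across restarts; the label only stops it from touching Medium-labelled objects such as the rest of the user profile, HKCU and other programs. Second, the Low token blocks writes to every other Medium location Firefox may use (for example %TEMP% when opening a download), so expect “access denied” errors there and label those folders Low too if you need them; the broken Firefox updater the commenter mentions is the same effect.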